| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aJn-q-SebbQoyiyy@Mac.home>
Date: Mon, 11 Aug 2025 07:31:07 -0700
From: Boqun Feng <boqun.feng@...il.com>
To: Alice Ryhl <aliceryhl@...gle.com>
Cc: Daniel Almeida <daniel.almeida@...labora.com>,
Miguel Ojeda <ojeda@...nel.org>, Gary Guo <gary@...yguo.net>,
Björn Roy Baron <bjorn3_gh@...tonmail.com>,
Andreas Hindborg <a.hindborg@...nel.org>,
Trevor Gross <tmgross@...ch.edu>,
Danilo Krummrich <dakr@...nel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
"Rafael J. Wysocki" <rafael@...nel.org>,
Thomas Gleixner <tglx@...utronix.de>,
Bjorn Helgaas <bhelgaas@...gle.com>,
Krzysztof Wilczy´nski <kwilczynski@...nel.org>,
Benno Lossin <lossin@...nel.org>, Dirk Behme <dirk.behme@...il.com>,
linux-kernel@...r.kernel.org, rust-for-linux@...r.kernel.org,
linux-pci@...r.kernel.org
Subject: Re: [PATCH v2] rust: irq: add &Device<Bound> argument to irq
callbacks
On Mon, Aug 11, 2025 at 04:25:50PM +0200, Alice Ryhl wrote:
> On Mon, Aug 11, 2025 at 4:24 PM Boqun Feng <boqun.feng@...il.com> wrote:
> >
> > On Mon, Aug 11, 2025 at 04:05:31PM +0200, Alice Ryhl wrote:
> > > On Mon, Aug 11, 2025 at 3:56 PM Boqun Feng <boqun.feng@...il.com> wrote:
> > > >
> > > > On Mon, Aug 11, 2025 at 12:33:51PM +0000, Alice Ryhl wrote:
> > > > [...]
> > > > > @@ -207,8 +207,8 @@ pub fn new<'a>(
> > > > > inner <- Devres::new(
> > > > > request.dev,
> > > > > try_pin_init!(RegistrationInner {
> > > > > - // SAFETY: `this` is a valid pointer to the `Registration` instance
> > > > > - cookie: unsafe { &raw mut (*this.as_ptr()).handler }.cast(),
> > > > > + // INVARIANT: `this` is a valid pointer to the `Registration` instance
> > > > > + cookie: this.as_ptr().cast::<c_void>(),
> > > >
> > > > At this moment the `Regstration` is not fully initialized...
> > > >
> > > > > irq: {
> > > > > // SAFETY:
> > > > > // - The callbacks are valid for use with request_irq.
> > > > > @@ -221,7 +221,7 @@ pub fn new<'a>(
> > > > > Some(handle_irq_callback::<T>),
> > > > > flags.into_inner(),
> > > > > name.as_char_ptr(),
> > > > > - (&raw mut (*this.as_ptr()).handler).cast(),
> > > > > + this.as_ptr().cast::<c_void>(),
> > > > > )
> > > >
> > > > ... and interrupt can happen right after request_irq() ...
> > > >
> > > > > })?;
> > > > > request.irq
> > > > > @@ -258,9 +258,13 @@ pub fn synchronize(&self, dev: &Device<Bound>) -> Result {
> > > > > ///
> > > > > /// This function should be only used as the callback in `request_irq`.
> > > > > unsafe extern "C" fn handle_irq_callback<T: Handler>(_irq: i32, ptr: *mut c_void) -> c_uint {
> > > > > - // SAFETY: `ptr` is a pointer to T set in `Registration::new`
> > > > > - let handler = unsafe { &*(ptr as *const T) };
> > > > > - T::handle(handler) as c_uint
> > > > > + // SAFETY: `ptr` is a pointer to `Registration<T>` set in `Registration::new`
> > > > > + let registration = unsafe { &*(ptr as *const Registration<T>) };
> > > >
> > > > ... hence it's not correct to construct a reference to `Registration`
> > > > here, but yes, both `handler` and the `device` part of `inner` has been
> > > > properly initialized. So
> > > >
> > > > let registration = ptr.cast::<Registration<T>>();
> > > >
> > > > // SAFETY: The `data` part of `Devres` is `Opaque` and here we
> > > > // only access `.device()`, which has been properly initialized
> > > > // before `request_irq()`.
> > > > let device = unsafe { (*registration).inner.device() };
> > > >
> > > > // SAFETY: The irq callback is removed before the device is
> > > > // unbound, so the fact that the irq callback is running implies
> > > > // that the device has not yet been unbound.
> > > > let device = unsafe { device.as_bound() };
> > > >
> > > > // SAFETY: `.handler` has been properly initialized before
> > > > // `request_irq()`.
> > > > T::handle(unsafe { &(*registration).handler }, device) as c_uint
> > > >
> > > > Thoughts? Similar for the threaded one.
> > >
> > > This code is no different. It creates a reference to `inner` before
> > > the `irq` field is written. Of course, it's also no different in that
> > > since data of a `Devres` is in `Opaque`, this is not actually UB.
> > >
> >
> > Well, I think we need at least mentioning that it's safe because we
> > don't access .inner.inner here, but..
> >
> > > What I can offer you is to use the closure form of pin-init to call
> > > request_irq after initialization has fully completed.
> > >
> >
> > .. now you mention this, I think we can just move the `request_irq()`
> > to the initializer of `_pin`:
> >
> > ------>8
> > diff --git a/rust/kernel/irq/request.rs b/rust/kernel/irq/request.rs
> > index ae5d967fb9d6..3343964fc1ab 100644
> > --- a/rust/kernel/irq/request.rs
> > +++ b/rust/kernel/irq/request.rs
> > @@ -209,26 +209,26 @@ pub fn new<'a>(
> > try_pin_init!(RegistrationInner {
> > // INVARIANT: `this` is a valid pointer to the `Registration` instance
> > cookie: this.as_ptr().cast::<c_void>(),
> > - irq: {
> > - // SAFETY:
> > - // - The callbacks are valid for use with request_irq.
> > - // - If this succeeds, the slot is guaranteed to be valid until the
> > - // destructor of Self runs, which will deregister the callbacks
> > - // before the memory location becomes invalid.
> > - to_result(unsafe {
> > - bindings::request_irq(
> > - request.irq,
> > - Some(handle_irq_callback::<T>),
> > - flags.into_inner(),
> > - name.as_char_ptr(),
> > - this.as_ptr().cast::<c_void>(),
> > - )
> > - })?;
> > - request.irq
> > - }
> > + irq: request.irq
> > })
> > ),
> > - _pin: PhantomPinned,
> > + _pin: {
> > + // SAFETY:
> > + // - The callbacks are valid for use with request_irq.
> > + // - If this succeeds, the slot is guaranteed to be valid until the
> > + // destructor of Self runs, which will deregister the callbacks
> > + // before the memory location becomes invalid.
> > + to_result(unsafe {
> > + bindings::request_irq(
> > + request.irq,
> > + Some(handle_irq_callback::<T>),
> > + flags.into_inner(),
> > + name.as_char_ptr(),
> > + this.as_ptr().cast::<c_void>(),
> > + )
> > + })?;
> > + PhantomPinned
> > + },
> > })
> > }
> >
> >
> > Thoughts?
>
> That calls free_irq if request_irq fails, which is illegal.
>
Ah, right. I was missing that. Then back to the "we have to mention that
we are not accessing the data of Devres" suggestion, which I think is
more appropriate for this case.
Regards,
Boqun
> Alice
Powered by blists - more mailing lists